Loading nixos/modules/services/security/esdm.nix +1 −1 Original line number Diff line number Diff line Loading @@ -45,6 +45,7 @@ in { systemd.packages = [ cfg.package ]; systemd.services."esdm-server".wantedBy = [ "basic.target" ]; systemd.services."esdm-kernel-seeder".wantedBy = [ "basic.target" ]; } # It is necessary to set those options for these services to be started by systemd in NixOS (lib.mkIf cfg.enableLinuxCompatServices { Loading @@ -64,7 +65,6 @@ in ); meta.maintainers = with lib.maintainers; [ orichter thillux ]; } pkgs/by-name/es/esdm/package.nix +39 −39 Original line number Diff line number Diff line Loading 
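Review bot: The added `systemd.services."esdm-kernel-seeder".wantedBy = [ "basic.target" ];` starts the kernel seeder unconditionally next to esdm-server, and the package defaults credit `linuxKernelReseedEntropyRate` (256 bits) to the kernel pool on every reseed, so this line changes the kernel's entropy accounting for every user of the module. A dedicated boolean option gating that line (e.g. `cfg.enableKernelSeeder`, name constructed here) with a description stating that the seeder injects credited entropy into the Linux RNG would let administrators run ESDM purely as a userspace DRNG. The second hunk (@@ -64,7 +65,6 @@) appears to drop `meta.maintainers = with lib.maintainers; [ orichter thillux ];` from the module, and the package.nix section seems to lose its `maintainers` line as well; if that is intended, the description should say why, since both files would otherwise be left without a listed maintainer.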
@@ -18,55 +18,52 @@ # A brief explanation is given. # general options selinux ? false, # enable selinux support drngHashDrbg ? true, # set the default drng callback drngChaCha20 ? false, # set the default drng callback ais2031 ? false, # set the seeding strategy to be compliant with AIS 20/31 sp80090c ? false, # set compliance with NIST SP800-90C cryptoBackend ? "builtin", # set backend for hash and drbg operations selinux ? true, # enable selinux support fips140 ? true, # enable FIPS 140 checksum support ais2031 ? true, # set the seeding strategy to be compliant with AIS 20/31 sp80090c ? true, # set compliance with NIST SP800-90C cryptoBackend ? "botan", # set backend for hash and drbg operations linuxDevFiles ? true, # enable linux /dev/random and /dev/urandom support linuxGetRandom ? true, # enable linux getrandom support hashSha512 ? false, # set the conditioning hash: SHA2-512 hashSha3_512 ? true, # set the conditioning hash: SHA3-512 openSSLRandProvider ? false, # build ESDM provider for OpenSSL 3.x botanRng ? false, # build ESDM class for Botan 3.x # client-related options (handle with care, consult source code and meson options) # leave as is if in doubt connectTimeoutExponent ? 28, # (1 << EXPONENT nanoseconds) rxTxTimeoutExponent ? 28, # (1 << EXPONENT nanoseconds) reconnectAttempts ? 10, # how often to attempt unix socket connection before giving up openSSLRandProvider ? true, # build ESDM provider for OpenSSL 3.x maxThreads ? 1024, # number of RPC handler threads validationHelpers ? true, # used to analyze entropy output from esdm_es numAuxPools ? 128, # use multiple hash pools for e.g. smartcard input serverTermOnSignal ? false, # use select with timeout in server watch loop # entropy sources esJitterRng ? true, # enable support for the entropy source: jitter rng (running in user space) esJitterRngEntropyRate ? 256, # amount of entropy to account for jitter rng source esJitterRngKernel ? 
true, # enable support for the entropy source: jitter rng (running in kernel space) esJitterRngEntropyBlocks ? 128, # number of cached entropy blocks for jitterentropy esJitterRngKernel ? false, # enable support for the entropy source: jitter rng (running in kernel space) esJitterRngKernelEntropyRate ? 256, # amount of entropy to account for kernel jitter rng source esCPU ? true, # enable support for the entropy source: cpu-based entropy esCPUEntropyRate ? 8, # amount of entropy to account for cpu rng source esKernel ? true, # enable support for the entropy source: kernel-based entropy esKernelEntropyRate ? 128, # amount of entropy to account for kernel-based source esCPUEntropyRate ? 256, # amount of entropy to account for cpu rng source esKernel ? false, # enable support for the entropy source: kernel-based entropy esKernelEntropyRate ? 256, # amount of entropy to account for kernel-based source esIRQ ? false, # enable support for the entropy source: interrupt-based entropy esIRQEntropyRate ? 256, # amount of entropy to account for interrupt-based source (only set irq XOR sched != 0) esSched ? false, # enable support for the entropy source: scheduler-based entropy esSchedEntropyRate ? 0, # amount of entropy to account for interrupt-based source (only set irq XOR sched != 0) esHwrand ? true, # enable support for the entropy source: /dev/hwrng esHwrandEntropyRate ? 128, # amount of entropy to account for /dev/hwrng-based sources esHwrandEntropyRate ? 256, # amount of entropy to account for /dev/hwrng-based sources # kernel seeding linuxKernelReseedInterval ? 60, # how often to push entropy into Linux kernel, iff seeder service is started linuxKernelReseedEntropyRate ? 
256, # how many bits to account on kernel (re-)seeding }: assert drngHashDrbg != drngChaCha20; assert hashSha512 != hashSha3_512; assert cryptoBackend == "openssl" || cryptoBackend == "botan" || cryptoBackend == "builtin"; assert cryptoBackend == "openssl" || cryptoBackend == "botan"; stdenv.mkDerivation rec { pname = "esdm"; version = "1.2.0"; version = "1.2.1"; src = fetchFromGitHub { owner = "smuellerDD"; repo = "esdm"; rev = "v${version}"; hash = "sha256-5XctrI02pfCgK1P76AaSkMjiQqav6LX3SMjKr4F44sw="; hash = "sha256-41vc5mB2MiQJu0HXFzSjiudlu1sRj2IP8FcFPQfu5uo="; }; nativeBuildInputs = [ Loading @@ -76,7 +73,7 @@ stdenv.mkDerivation rec { ]; buildInputs = lib.optional (cryptoBackend == "botan" || botanRng) botan3 lib.optional (cryptoBackend == "botan") botan3 ++ lib.optional (cryptoBackend == "openssl" || openSSLRandProvider) openssl ++ lib.optional selinux libselinux ++ lib.optional esJitterRng jitterentropy Loading 
@@ -86,20 +83,19 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ protobufc ]; mesonFlags = [ (lib.mesonBool "b_lto" false) (lib.mesonBool "fips140" false) (lib.mesonBool "b_lto" true) (lib.mesonBool "fips140" fips140) (lib.mesonBool "ais2031" ais2031) (lib.mesonBool "sp80090c" sp80090c) (lib.mesonEnable "node" true) # multiple DRNGs (lib.mesonOption "threading_max_threads" (toString 64)) (lib.mesonEnable "systemd" true) # systemd notify and socket support (lib.mesonOption "threading_max_threads" (toString maxThreads)) (lib.mesonOption "crypto_backend" cryptoBackend) (lib.mesonEnable "linux-devfiles" linuxDevFiles) (lib.mesonEnable "linux-getrandom" linuxGetRandom) (lib.mesonOption "client-connect-timeout-exponent" (toString connectTimeoutExponent)) (lib.mesonOption "client-rx-tx-timeout-exponent" (toString rxTxTimeoutExponent)) (lib.mesonOption "client-reconnect-attempts" (toString reconnectAttempts)) (lib.mesonEnable "es_jent" esJitterRng) (lib.mesonOption "es_jent_entropy_rate" (toString esJitterRngEntropyRate)) (lib.mesonOption "es_jent_entropy_blocks" (toString esJitterRngEntropyBlocks)) (lib.mesonEnable "es_jent_kernel" esJitterRngKernel) (lib.mesonOption "es_jent_kernel_entropy_rate" (toString esJitterRngKernelEntropyRate)) (lib.mesonEnable "es_cpu" esCPU) Loading 
@@ -112,15 +108,20 @@ stdenv.mkDerivation rec { (lib.mesonOption "es_sched_entropy_rate" (toString esSchedEntropyRate)) (lib.mesonEnable "es_hwrand" esHwrand) (lib.mesonOption "es_hwrand_entropy_rate" (toString esHwrandEntropyRate)) (lib.mesonEnable "hash_sha512" hashSha512) (lib.mesonEnable "hash_sha3_512" hashSha3_512) (lib.mesonEnable "selinux" selinux) (lib.mesonEnable "drng_hash_drbg" drngHashDrbg) (lib.mesonEnable "drng_chacha20" drngChaCha20) (lib.mesonEnable "openssl-rand-provider" openSSLRandProvider) (lib.mesonEnable "botan-rng" botanRng) (lib.mesonOption "linux-reseed-interval" (toString linuxKernelReseedInterval)) (lib.mesonOption "linux-reseed-entropy-count" (toString linuxKernelReseedEntropyRate)) (lib.mesonEnable "validation-helpers" validationHelpers) (lib.mesonOption "num-aux-pools" (toString numAuxPools)) (lib.mesonBool "esdm-server-term-on-signal" serverTermOnSignal) ]; postFixup = lib.optionals fips140 '' $out/bin/esdm-tool --fips-checkfile $out/bin/.esdm-server.hmac \ --fips-targetfile $out/bin/esdm-server ''; doCheck = true; strictDeps = true; Loading @@ -135,7 +136,6 @@ stdenv.mkDerivation rec { ]; platforms = lib.platforms.linux; maintainers = with lib.maintainers; [ orichter thillux ]; }; Loading pkgs/top-level/all-packages.nix +1 −0 Original line number Diff line number Diff line Loading @@ -7073,6 +7073,7 @@ with pkgs; botan2 botan3 ; botanEsdm = botan3.override { withEsdm = true; }; c-ares = callPackage ../development/libraries/c-ares { }; Loading Loading
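Review bot: `postFixup = lib.optionals fips140 ''…''` applies a list helper to a string, so the disabled case evaluates to `[]` rather than an empty string; the idiomatic form is `postFixup = lib.optionalString fips140 ''…'';`. The hook also runs `$out/bin/esdm-tool` at build time, which only works when the build platform can execute host binaries; with `strictDeps = true` this is worth guarding as `lib.optionalString (fips140 && stdenv.buildPlatform.canExecute stdenv.hostPlatform)` and, if the guard is false, failing the build rather than silently omitting `.esdm-server.hmac`, because a missing checksum file presumably makes the FIPS integrity check reject esdm-server at runtime — confirm against esdm's behaviour. The first hunk flips several security-relevant defaults at once (`fips140`, `ais2031`, `sp80090c` and `selinux` to true, `cryptoBackend` to `"botan"` with `"builtin"` dropped from the assert, `esCPUEntropyRate` 8→256 and `esHwrandEntropyRate` 128→256 while `esKernel` and `esJitterRngKernel` become false); a header comment above `# general options` recording the rationale for crediting the CPU and hwrng sources with full entropy and for disabling the kernel-based source would help the next maintainer judge whether these credits match the AIS 20/31 / SP800-90C profile the other defaults now select.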
nixos/modules/services/security/esdm.nix +1 −1 Original line number Diff line number Diff line Loading @@ -45,6 +45,7 @@ in { systemd.packages = [ cfg.package ]; systemd.services."esdm-server".wantedBy = [ "basic.target" ]; systemd.services."esdm-kernel-seeder".wantedBy = [ "basic.target" ]; } # It is necessary to set those options for these services to be started by systemd in NixOS (lib.mkIf cfg.enableLinuxCompatServices { Loading @@ -64,7 +65,6 @@ in ); meta.maintainers = with lib.maintainers; [ orichter thillux ]; }
pkgs/by-name/es/esdm/package.nix +39 −39 Original line number Diff line number Diff line Loading 
@@ -18,55 +18,52 @@ # A brief explanation is given. # general options selinux ? false, # enable selinux support drngHashDrbg ? true, # set the default drng callback drngChaCha20 ? false, # set the default drng callback ais2031 ? false, # set the seeding strategy to be compliant with AIS 20/31 sp80090c ? false, # set compliance with NIST SP800-90C cryptoBackend ? "builtin", # set backend for hash and drbg operations selinux ? true, # enable selinux support fips140 ? true, # enable FIPS 140 checksum support ais2031 ? true, # set the seeding strategy to be compliant with AIS 20/31 sp80090c ? true, # set compliance with NIST SP800-90C cryptoBackend ? "botan", # set backend for hash and drbg operations linuxDevFiles ? true, # enable linux /dev/random and /dev/urandom support linuxGetRandom ? true, # enable linux getrandom support hashSha512 ? false, # set the conditioning hash: SHA2-512 hashSha3_512 ? true, # set the conditioning hash: SHA3-512 openSSLRandProvider ? false, # build ESDM provider for OpenSSL 3.x botanRng ? false, # build ESDM class for Botan 3.x # client-related options (handle with care, consult source code and meson options) # leave as is if in doubt connectTimeoutExponent ? 28, # (1 << EXPONENT nanoseconds) rxTxTimeoutExponent ? 28, # (1 << EXPONENT nanoseconds) reconnectAttempts ? 10, # how often to attempt unix socket connection before giving up openSSLRandProvider ? true, # build ESDM provider for OpenSSL 3.x maxThreads ? 1024, # number of RPC handler threads validationHelpers ? true, # used to analyze entropy output from esdm_es numAuxPools ? 128, # use multiple hash pools for e.g. smartcard input serverTermOnSignal ? false, # use select with timeout in server watch loop # entropy sources esJitterRng ? true, # enable support for the entropy source: jitter rng (running in user space) esJitterRngEntropyRate ? 256, # amount of entropy to account for jitter rng source esJitterRngKernel ? 
true, # enable support for the entropy source: jitter rng (running in kernel space) esJitterRngEntropyBlocks ? 128, # number of cached entropy blocks for jitterentropy esJitterRngKernel ? false, # enable support for the entropy source: jitter rng (running in kernel space) esJitterRngKernelEntropyRate ? 256, # amount of entropy to account for kernel jitter rng source esCPU ? true, # enable support for the entropy source: cpu-based entropy esCPUEntropyRate ? 8, # amount of entropy to account for cpu rng source esKernel ? true, # enable support for the entropy source: kernel-based entropy esKernelEntropyRate ? 128, # amount of entropy to account for kernel-based source esCPUEntropyRate ? 256, # amount of entropy to account for cpu rng source esKernel ? false, # enable support for the entropy source: kernel-based entropy esKernelEntropyRate ? 256, # amount of entropy to account for kernel-based source esIRQ ? false, # enable support for the entropy source: interrupt-based entropy esIRQEntropyRate ? 256, # amount of entropy to account for interrupt-based source (only set irq XOR sched != 0) esSched ? false, # enable support for the entropy source: scheduler-based entropy esSchedEntropyRate ? 0, # amount of entropy to account for interrupt-based source (only set irq XOR sched != 0) esHwrand ? true, # enable support for the entropy source: /dev/hwrng esHwrandEntropyRate ? 128, # amount of entropy to account for /dev/hwrng-based sources esHwrandEntropyRate ? 256, # amount of entropy to account for /dev/hwrng-based sources # kernel seeding linuxKernelReseedInterval ? 60, # how often to push entropy into Linux kernel, iff seeder service is started linuxKernelReseedEntropyRate ? 
256, # how many bits to account on kernel (re-)seeding }: assert drngHashDrbg != drngChaCha20; assert hashSha512 != hashSha3_512; assert cryptoBackend == "openssl" || cryptoBackend == "botan" || cryptoBackend == "builtin"; assert cryptoBackend == "openssl" || cryptoBackend == "botan"; stdenv.mkDerivation rec { pname = "esdm"; version = "1.2.0"; version = "1.2.1"; src = fetchFromGitHub { owner = "smuellerDD"; repo = "esdm"; rev = "v${version}"; hash = "sha256-5XctrI02pfCgK1P76AaSkMjiQqav6LX3SMjKr4F44sw="; hash = "sha256-41vc5mB2MiQJu0HXFzSjiudlu1sRj2IP8FcFPQfu5uo="; }; nativeBuildInputs = [ Loading @@ -76,7 +73,7 @@ stdenv.mkDerivation rec { ]; buildInputs = lib.optional (cryptoBackend == "botan" || botanRng) botan3 lib.optional (cryptoBackend == "botan") botan3 ++ lib.optional (cryptoBackend == "openssl" || openSSLRandProvider) openssl ++ lib.optional selinux libselinux ++ lib.optional esJitterRng jitterentropy Loading 
@@ -86,20 +83,19 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ protobufc ]; mesonFlags = [ (lib.mesonBool "b_lto" false) (lib.mesonBool "fips140" false) (lib.mesonBool "b_lto" true) (lib.mesonBool "fips140" fips140) (lib.mesonBool "ais2031" ais2031) (lib.mesonBool "sp80090c" sp80090c) (lib.mesonEnable "node" true) # multiple DRNGs (lib.mesonOption "threading_max_threads" (toString 64)) (lib.mesonEnable "systemd" true) # systemd notify and socket support (lib.mesonOption "threading_max_threads" (toString maxThreads)) (lib.mesonOption "crypto_backend" cryptoBackend) (lib.mesonEnable "linux-devfiles" linuxDevFiles) (lib.mesonEnable "linux-getrandom" linuxGetRandom) (lib.mesonOption "client-connect-timeout-exponent" (toString connectTimeoutExponent)) (lib.mesonOption "client-rx-tx-timeout-exponent" (toString rxTxTimeoutExponent)) (lib.mesonOption "client-reconnect-attempts" (toString reconnectAttempts)) (lib.mesonEnable "es_jent" esJitterRng) (lib.mesonOption "es_jent_entropy_rate" (toString esJitterRngEntropyRate)) (lib.mesonOption "es_jent_entropy_blocks" (toString esJitterRngEntropyBlocks)) (lib.mesonEnable "es_jent_kernel" esJitterRngKernel) (lib.mesonOption "es_jent_kernel_entropy_rate" (toString esJitterRngKernelEntropyRate)) (lib.mesonEnable "es_cpu" esCPU) Loading 
@@ -112,15 +108,20 @@ stdenv.mkDerivation rec { (lib.mesonOption "es_sched_entropy_rate" (toString esSchedEntropyRate)) (lib.mesonEnable "es_hwrand" esHwrand) (lib.mesonOption "es_hwrand_entropy_rate" (toString esHwrandEntropyRate)) (lib.mesonEnable "hash_sha512" hashSha512) (lib.mesonEnable "hash_sha3_512" hashSha3_512) (lib.mesonEnable "selinux" selinux) (lib.mesonEnable "drng_hash_drbg" drngHashDrbg) (lib.mesonEnable "drng_chacha20" drngChaCha20) (lib.mesonEnable "openssl-rand-provider" openSSLRandProvider) (lib.mesonEnable "botan-rng" botanRng) (lib.mesonOption "linux-reseed-interval" (toString linuxKernelReseedInterval)) (lib.mesonOption "linux-reseed-entropy-count" (toString linuxKernelReseedEntropyRate)) (lib.mesonEnable "validation-helpers" validationHelpers) (lib.mesonOption "num-aux-pools" (toString numAuxPools)) (lib.mesonBool "esdm-server-term-on-signal" serverTermOnSignal) ]; postFixup = lib.optionals fips140 '' $out/bin/esdm-tool --fips-checkfile $out/bin/.esdm-server.hmac \ --fips-targetfile $out/bin/esdm-server ''; doCheck = true; strictDeps = true; Loading @@ -135,7 +136,6 @@ stdenv.mkDerivation rec { ]; platforms = lib.platforms.linux; maintainers = with lib.maintainers; [ orichter thillux ]; }; Loading
pkgs/top-level/all-packages.nix +1 −0 Original line number Diff line number Diff line Loading @@ -7073,6 +7073,7 @@ with pkgs; botan2 botan3 ; botanEsdm = botan3.override { withEsdm = true; }; c-ares = callPackage ../development/libraries/c-ares { }; Loading